TRACs Security Awareness FY2009 Office of Information Technology Security 1.

Presentation transcript:

TRACs Security Awareness FY2009 Office of Information Technology Security 1

Course Objectives: Why Is Cybersecurity Important? How Can I Be a Safe User? How Can I Help Protect HUD and Its Information? 2

Overview: CyberSecurity Goals; Managing and Understanding CyberSecurity Risks; CyberSecurity and Protecting HUD Information and Computer Network; Threats; Impacts; Vulnerabilities 3

CyberSecurity Goals: Confidentiality – Limiting access to information to authorized persons only. Integrity – Protecting information from unauthorized or unintentional modification. Availability – Ensuring that information and resources are available to those who need it when they need it. 4

Risks & Risk Management: Risk is the danger that is posed to a protected object by a combination of threats & vulnerabilities. 5

Components of Risk. Threat: Any person, event, or environmental factor that could impact or harm a Protected Object. Vulnerability: A weakness that can be exploited by a threat. It is the hole through which a threat gains access to a protected object. Impact: The way a protected object could be affected or harmed by a threat. 6

Threats: A threat is any person, event, or environmental factor that could impact or harm a protected object. Threats can be either active or passive. Active Threats: Hackers, Cyber warfare, Malicious code, Information gathering, Identity theft. Passive Threats: Hurricanes, Power failure, Software glitches, Human error. 7

Threats: Hackers. What is it? Unauthorized access to information or computer systems. Examples include: anti-government groups, a "kid in the basement", a disgruntled employee, criminals, trained cyber warriors. How can it harm? Loss of: data, identity, money, credibility, system availability. 8

Threats: Hackers. What can I do? Do: Be suspicious; be careful with your personal data, passwords, and sensitive organizational information; report suspicious activity; practice security habits at all times and in all places. Don't: Give out non-public information about yourself or your organization; follow directions of others without confirming the person's authorized role; attempt to modify or bypass security measures. 9

Threats: Cyber Warfare. What is it? An organized attack against a computer system or network by a hostile group. It is often used as part of a physical warfare strategy. How can it harm? Impair nation's economy, critical infrastructure, or our ability to fight a physical war. What can I do? Follow security guidelines and policies. 10

Threats: Malicious Code. What is it? Software designed to: disrupt the normal operations; allow an unauthorized access. Often called "viruses". Examples: Viruses, Worms, Trojan Horses, Adware or Spyware. 11

Threats: Malicious Code. How can it harm? Sharing sensitive data with unauthorized persons; performance malfunctions including computer crashes; files and records destruction; connection overload causing denials of service. 12

Threats: Malicious Code. What can I do? Do: Only accept files from valid sources; scan files from outsiders for malicious code; ensure antivirus software is installed and kept up-to-date. Don't: Download files from questionable sources; modify or disable antivirus software; load suspicious media on your computer. 13

Threats: Information Gathering. What is it? Collecting personal or sensitive information that an attacker can use to bypass security systems. Common techniques: Shoulder surfing, Dumpster diving, Data mining, Searching online sources, Social engineering, Phishing. 14

Threats: Information Gathering. How can it harm? Loss of: Data, Identity, Money, Credibility or Reputation. 15

Threats: Information Gathering. What can I do? Check your surroundings; be suspicious; verify identities; safeguard personal information; don’t volunteer information; check security settings on the web; shred sensitive material; contact organizations by telephone if there is any doubt as to the authenticity of an e-mail or Web site. 16

Threats: Identity Theft What is it? A crime in which someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception. Items often stolen are: ID badges, user names and passwords, social security numbers and credit card or bank account information. 17

Threats: Identity Theft. How can it harm? Obtain credit in your name; incur fraudulent charges; open accounts; access anything your identity is used to protect. What can I do? Protect your personal information and that of others. 18

Threats Summary. If you encounter suspicious events on a HUD System: Immediately call HUD’s Call Center at  If you receive an e-mail at home that appears suspicious, call or contact the organization listed in the From line before you respond or open any attached files. 19

Vulnerabilities: A vulnerability is a weakness that can be exploited by a threat. It is the hole through which a threat gains access to a protected object. Common vulnerabilities include: weak or unprotected credentials or passwords; program installation or modification; peer-to-peer software; file transfers; removable media. 20

Vulnerabilities: Weak or Unprotected Credentials & Passwords. What is it? The use of credentials to confirm a user's identity and grant access to a computer system. How can it harm? Allowing unauthorized access to HUD’s network; data breaches, theft or unauthorized modification. 21

Vulnerabilities: Weak or Unprotected Credentials & Passwords. What can I do? Keep your credentials (your passwords and smart cards) safe. Protect them like you do the keys to your home. Never allow another person to use your credentials to log in as you. 22

Vulnerabilities: Weak or Unprotected Credentials & Passwords. What can I do? Do: Select a unique password of 8 characters or more; use 3 of the 4 available character types including caps, numbers & symbols; change passwords as necessary; think creatively when creating passwords. Don’t: Share passwords with anyone; use the same password for multiple accounts; create group passwords; write down passwords; base passwords on information that might be guessed; begin your password with a real word. 23

Vulnerabilities: Program Installation or Modification What is it? Program installation refers to loading software onto Department computers. Program modification refers to changing the settings of existing programs. 24

Vulnerabilities: Program Installation or Modification. How can it harm? Hackers often use software vulnerabilities to exploit a network. Every software program used by HUD is tested first and configured for safe use. New programs or settings that have not been tested or controlled by system managers can create unknown vulnerabilities. 25

Vulnerabilities: Program Installation or Modification. What can I do? Understand how your business relies on information and information technology. No non-standard software without prior approval. Do not download or install unauthorized programs. Do not make changes to security settings. 26

Vulnerabilities: File Transfers. What is it? Term used to describe the movement of files between computers. Common methods include: downloading files from the Internet; receiving attachments; copying files from removable media like CDs, floppy disks, and USB drives; peer to peer. 27

Vulnerabilities: File Transfers. How can it harm? Inadvertent introduction of malicious code. The most common source of virus infection is attachments, followed by Internet downloads. What can I do? Before transferring anything to your computer, consider: Rule 1: If you don't need it, don't download it! Rule 2: If you need it, do you trust the source? Rule 3: Scan files that are coming from outside the Department with virus protection software before opening. 28

Vulnerabilities Summary 29 Immediately call to HUD’s Call Center at a security incident if you encounter suspicious events on a HUD System:

Impact: The way a protected object could be affected or harmed. The way your mission operations could be affected or harmed. “It’s all about protecting the information, not computers.” Ira Winkler, The Grill Interview, Computerworld, July 28, 2008. 30

Minimizing Impact: Actively manage security risks; Building Security In; Reducing Exposure; Standardizing Operations; Enhancing Awareness and Competencies; Act Securely. 31

Minimizing Impact What information does your mission rely on? Where does that information reside? Who has access to that information? How reliable or accurate is that information? What is the back up plan should that information become unavailable? 32

Contact Information: Joyce M. Little, Director, Policy and Management Division; Marian P. Cody, Chief Information Technology Officer; John S. Hawkins, Security Awareness and Training. 33